Work_Archive/VPS-scripts_Ubuntu-Mail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Work_Archive:omega
Branches Tags
Work_Archive:beta Work_Archive:stable Work_Archive:omega Work_Archive:dev Work_Archive:alpha
..
compare: Work_Archive:alpha
Branches Tags
Work_Archive:beta Work_Archive:stable Work_Archive:omega Work_Archive:dev Work_Archive:alpha

3 Commits
omega ... alpha

Author SHA1 Message Date
b.waal
a092b6e775 Update 'installer.sh' 2019-09-10 09:31:59 +02:00
b.waal
d4c74c6590 Update 'installer.sh' 2019-09-10 09:20:44 +02:00
b.waal
19f958be7c Update 'installer.sh' 2019-09-07 01:49:15 +02:00
18 changed files with 118 additions and 994 deletions
Expand all files Collapse all files

4
CHANGELOG.md
View File

@@ -2,6 +2,6 @@
Dev = done.
PostixAdmin, Postfix, Dovecot and Sieve working!
## 31-08-2019 / 01-09-2019:
## 31-08-2019
Started Alpha Branch.
PHP7.3 and MySQL 8 working!
PHP7.3 working!

21
README.md
View File

@@ -1,19 +1,8 @@
# Ubuntu-Mail
# Ubuntu-Mail
**Get Started**:
```
wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/omega/installer.sh
wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/alpha/installer.sh
bash installer.sh 2>&1 | tee output.log
```
### Sources
#### This script uses the following repo's as dependencies:
```
* VPS-scripts/Unattended-Security-Updates
* VPS-scripts/Ubuntu-MySQL
```
#### Sources:
```
https://linuxize.com/post/set-up-an-email-server-with-postfixadmin
```
https://linuxize.com/post/set-up-an-email-server-with-postfixadmin

27
config/amavis/15-content_filter_mode
View File

@@ -1,27 +0,0 @@
use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # ensure a defined return

223
config/amavis/20-debian_defaults
View File

@@ -1,223 +0,0 @@
use strict;
# ADMINISTRATORS:
# Debian suggests that any changes you need to do that should never
# be "updated" by the Debian package should be made in another file,
# overriding the settings in this file.
#
# The package will *not* overwrite your settings, but by keeping
# them separate, you will make the task of merging changes on these
# configuration files much simpler...
# see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
# a list of all variables with their defaults;
# see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
# a traditional-style commented file
# [note: the above files were not converted to Debian settings!]
#
# for more details see documentation in /usr/share/doc/amavisd-new
# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug'; # switch to info to drop debug output, etc
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10024; # default listening socket
#$sa_spam_subject_tag = '***SPAM*** ';
#$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
#$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
#$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 1.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 4; # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
# Quota limits to avoid bombs (like 42.zip)
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes
# You should:
# Use D_DISCARD to discard data (viruses)
# Use D_BOUNCE to generate local bounces by amavisd-new
# Use D_REJECT to generate local or remote bounces by the calling MTA
# Use D_PASS to deliver the message
#
# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
# mail to your account. Use D_BOUNCE instead, otherwise you are delegating
# the bounce work to your friendly forwarders, which might not like it at all.
#
# On dual-MTA setups, one can often D_REJECT, as this just makes your own
# MTA generate the bounce message. Test it first.
#
# Bouncing viruses is stupid, always discard them after you are sure the AV
# is working correctly. Bouncing real SPAM is also useless, if you cannot
# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
$enable_dkim_verification = 0; #disabled to prevent warning
$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
# Set to empty ("") to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
#
# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
#
# These days, almost all viruses fake the envelope sender and mail headers.
# Therefore, "virus notifications" became nothing but undesired, aggravating
# SPAM. This holds true even inside one's domain. We disable them all by
# default, except for the EICAR test pattern.
#
@viruses_that_fake_sender_maps = (new_RE(
[qr'\bEICAR\b'i => 0], # av test pattern name
[qr/.*/ => 1], # true for everything else
));
@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));
# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
# block certain double extensions anywhere in the base name
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
# qr'^application/x-msmetafile$'i, # Windows Metafile MIME type
# qr'^\.wmf$', # Windows Metafile file(1) type
# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
# [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives
# [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archives
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
# wmf|wsc|wsf|wsh)$'ix, # banned ext - long
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
qr'^\.(exe-ms)$', # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
# ## per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com' => [{'.ebay.com' => -3.0}],
# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
# '.cleargreen.com' => -5.0}],
## site-wide opinions about senders (the '.' matches any recipient)
'.' => [ # the _first_ matching sender determines the score boost
new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),
# read_hash("/var/amavis/sender_scores_sitewide"),
# This are some examples for whitelists, since envelope senders can be forged
# they are not enabled by default.
{ # a hash-type lookup table (associative array)
#'nobody@cert.org' => -3.0,
#'cert-advisory@us-cert.gov' => -3.0,
#'owner-alert@iss.net' => -3.0,
#'slashdot@slashdot.org' => -3.0,
#'securityfocus.com' => -3.0,
#'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
#'security-alerts@linuxsecurity.com' => -3.0,
#'mailman-announce-admin@python.org' => -3.0,
#'amavis-user-admin@lists.sourceforge.net'=> -3.0,
#'amavis-user-bounces@lists.sourceforge.net' => -3.0,
#'spamassassin.apache.org' => -3.0,
#'notification-return@lists.sophos.com' => -3.0,
#'owner-postfix-users@postfix.org' => -3.0,
#'owner-postfix-announce@postfix.org' => -3.0,
#'owner-sendmail-announce@lists.sendmail.org' => -3.0,
#'sendmail-announce-request@lists.sendmail.org' => -3.0,
#'donotreply@sendmail.org' => -3.0,
#'ca+envelope@sendmail.org' => -3.0,
#'noreply@freshmeat.net' => -3.0,
#'owner-technews@postel.acm.org' => -3.0,
#'ietf-123-owner@loki.ietf.org' => -3.0,
#'cvs-commits-list-admin@gnome.org' => -3.0,
#'rt-users-admin@lists.fsck.com' => -3.0,
#'clp-request@comp.nus.edu.sg' => -3.0,
#'surveys-errors@lists.nua.ie' => -3.0,
#'emailnews@genomeweb.com' => -5.0,
#'yahoo-dev-null@yahoo-inc.com' => -3.0,
#'returns.groups.yahoo.com' => -3.0,
#'clusternews@linuxnetworx.com' => -3.0,
#lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
#lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
# soft-blacklisting (positive score)
#'sender@example.net' => 3.0,
#'.example.net' => 1.0,
},
], # end of site-wide tables
});
1; # ensure a defined return

27
config/amavis/21-ubuntu_defaults
View File

@@ -1,27 +0,0 @@
use strict;
#
# These are Ubuntu specific defaults for amavisd-new configuration
#
# DOMAIN KEYS IDENTIFIED MAIL (DKIM)
$enable_dkim_verification = 1;
# Don't be verbose about sending mail:
@whitelist_sender_acl = qw( .$mydomain );
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 1.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 4; # spam level beyond which a DSN is not sent
$virus_admin = undef;
$spam_admin = undef;
#------------ Do not modify anything below this line -------------
1; # insure a defined return

48
config/amavis/50-user
View File

@@ -1,48 +0,0 @@
use strict;
#
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
# We need to provide list of domains for which filtering need to be done
#@lookup_sql_dsn = (
# ['DBI:mysql:database=postfixadmin;host=127.0.0.1;port=3306',
# 'postfixadmin',
# 'JW9t9ipdgLrWvMqHq7hX']);
# Disable show header recieve from amavisd localhost 127.0.0.1
$allowed_added_header_fields{lc('Received')} = 0;
@inet_acl = qw( 127.0.0.1 [::1] 23.21.136.138/32 );
@local_domains_acl = ( "." );
# Change instance amavisd process
$max_servers = 5;
# Disable quarantine
$clean_quarantine_to = undef; # local quarantine
$virus_quarantine_to = undef; # traditional local quarantine
$banned_quarantine_to = undef; # local quarantine
$bad_header_quarantine_to = undef; # local quarantine
$spam_quarantine_to = undef; # local quarantine
# Don's Discard infected mail
$final_virus_destiny = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny = D_PASS;
# Add Warning to Subject
$sa_tag_level_deflt = -9999; # always add spam info headers
$subject_tag_maps_by_ccat{+CC_VIRUS} = [ '***WARNING-VIRUS DETECTED*** ' ];
$subject_tag_maps_by_ccat{+CC_BANNED} = [ '***WARNING-DANGEROUS DETECTED*** ' ];
# Filter spam mail to Junk folder
$recipient_delimiter = '+';
@addr_extension_spam_maps = ('Spam');
@addr_extension_virus_maps = ('Spam');
@addr_extension_banned_maps = ('Spam');
#------------ Do not modify anything below this line -------------
1; # ensure a defined return

14
config/lets-encrypt/README
View File

@@ -1,14 +0,0 @@
This directory contains your keys and certificates.
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

31
config/lets-encrypt/cert.pem
View File

@@ -1,31 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgISBN+7pm+eon8x1kIYxdzPY6mDMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTEwNzU0MzdaFw0x
OTEyMTAwNzU0MzdaMB8xHTAbBgNVBAMTFG1haWwuaWN0ZG93bndlcmsuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuBlnH/sRyrqwElbTeY23Bjdm
ZeGgABVN3Z8f7o0q+NzrEIs2qfF5sxzQsTDHQkFQ7BlZL2tlBTvYJzL4f56LP+Ft
ST0ivabmlfMlqVctGeMhIqQ5t12NKeDj5eXoT1udMvw3/X2J0i7cHJbpHqvCtdy/
914SyaHwykFybC3vhoz18APUE0jfk1jfsIBzabRpC5C1SD1utMVcpzdc7eIoz6sF
hI3YeWVvDRfoFkd/D/Qhrom0pHhsAth3FXbgvZkf865xf/Al/PxMJlPZQCYi1KyA
x2aRR4IFOvCPk8a9EFeIKx9AVTgcu5CNIW0SRSZpQ4u+tTUtxuB7dL7SVbgXbQID
AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQijuIvsk5b0OD5eZY4
q6nlv+PIjTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
cnlwdC5vcmcvMB8GA1UdEQQYMBaCFG1haWwuaWN0ZG93bndlcmsuY29tMEwGA1Ud
IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDw
AHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFtH4gerAAABAMA
RzBFAiEAqaCymIN2kRHFIXwYMF3q7aRx3OfcCDQH6VkY4nPeQpECIGvCRqQ1uWPa
6Ui1HQu1MaVjVN8FHNxMm3+10MJ3rxGtAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXeP
vXWmOLHHaFRL2I0AAAFtH4genAAABAMARzBFAiEA36yPCciL4XPzlOBFwF0MKiLg
bdJTwrDoRQc+BswOrPQCIDJGAGPGm8Ge00dLSpSZRsVT9frBTKvtY0DMXM+BRDjV
MA0GCSqGSIb3DQEBCwUAA4IBAQCcI3Ofg9p4cqjWuuLax/MgF6qFloGbajP3hvfD
kG1C8lXAMUhAxMlwk53fzM7RwemKztPMXXOyA8/3gwE0T8XJm4e6ddKQ9KaG4F3a
Yj5MerpG+toEg+sSP/GJRZIoJjiB+WCQXt+UxxaZ6GmXiziqmJvnNNQPYBXB/AJk
W7X54IVfoZn/OOuxGMb3I8JmDS0aPJFr6Sa4IPZdtaDQzvL5YitrVxtuhLFPb+GY
BJZ/TPJJVFvL19nYe09d578Wu+F8hRMTTI1es+KANBm1NAXCUEw/0Yd3Anv7tYIs
jnl4PV+Q6whUCdAhOPYnJdJyHlwtWJ80zO8l/X4KlmFJDLT/
-----END CERTIFICATE-----

27
config/lets-encrypt/chain.pem
View File

@@ -1,27 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

58
config/lets-encrypt/fullchain.pem
View File

@@ -1,58 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgISBN+7pm+eon8x1kIYxdzPY6mDMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTEwNzU0MzdaFw0x
OTEyMTAwNzU0MzdaMB8xHTAbBgNVBAMTFG1haWwuaWN0ZG93bndlcmsuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuBlnH/sRyrqwElbTeY23Bjdm
ZeGgABVN3Z8f7o0q+NzrEIs2qfF5sxzQsTDHQkFQ7BlZL2tlBTvYJzL4f56LP+Ft
ST0ivabmlfMlqVctGeMhIqQ5t12NKeDj5eXoT1udMvw3/X2J0i7cHJbpHqvCtdy/
914SyaHwykFybC3vhoz18APUE0jfk1jfsIBzabRpC5C1SD1utMVcpzdc7eIoz6sF
hI3YeWVvDRfoFkd/D/Qhrom0pHhsAth3FXbgvZkf865xf/Al/PxMJlPZQCYi1KyA
x2aRR4IFOvCPk8a9EFeIKx9AVTgcu5CNIW0SRSZpQ4u+tTUtxuB7dL7SVbgXbQID
AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQijuIvsk5b0OD5eZY4
q6nlv+PIjTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
cnlwdC5vcmcvMB8GA1UdEQQYMBaCFG1haWwuaWN0ZG93bndlcmsuY29tMEwGA1Ud
IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDw
AHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFtH4gerAAABAMA
RzBFAiEAqaCymIN2kRHFIXwYMF3q7aRx3OfcCDQH6VkY4nPeQpECIGvCRqQ1uWPa
6Ui1HQu1MaVjVN8FHNxMm3+10MJ3rxGtAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXeP
vXWmOLHHaFRL2I0AAAFtH4genAAABAMARzBFAiEA36yPCciL4XPzlOBFwF0MKiLg
bdJTwrDoRQc+BswOrPQCIDJGAGPGm8Ge00dLSpSZRsVT9frBTKvtY0DMXM+BRDjV
MA0GCSqGSIb3DQEBCwUAA4IBAQCcI3Ofg9p4cqjWuuLax/MgF6qFloGbajP3hvfD
kG1C8lXAMUhAxMlwk53fzM7RwemKztPMXXOyA8/3gwE0T8XJm4e6ddKQ9KaG4F3a
Yj5MerpG+toEg+sSP/GJRZIoJjiB+WCQXt+UxxaZ6GmXiziqmJvnNNQPYBXB/AJk
W7X54IVfoZn/OOuxGMb3I8JmDS0aPJFr6Sa4IPZdtaDQzvL5YitrVxtuhLFPb+GY
BJZ/TPJJVFvL19nYe09d578Wu+F8hRMTTI1es+KANBm1NAXCUEw/0Yd3Anv7tYIs
jnl4PV+Q6whUCdAhOPYnJdJyHlwtWJ80zO8l/X4KlmFJDLT/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

28
config/lets-encrypt/privkey.pem
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC4GWcf+xHKurAS
VtN5jbcGN2Zl4aAAFU3dnx/ujSr43OsQizap8XmzHNCxMMdCQVDsGVkva2UFO9gn
Mvh/nos/4W1JPSK9puaV8yWpVy0Z4yEipDm3XY0p4OPl5ehPW50y/Df9fYnSLtwc
lukeq8K13L/3XhLJofDKQXJsLe+GjPXwA9QTSN+TWN+wgHNptGkLkLVIPW60xVyn
N1zt4ijPqwWEjdh5ZW8NF+gWR38P9CGuibSkeGwC2HcVduC9mR/zrnF/8CX8/Ewm
U9lAJiLUrIDHZpFHggU68I+Txr0QV4grH0BVOBy7kI0hbRJFJmlDi761NS3G4Ht0
vtJVuBdtAgMBAAECggEASp1xIJMf2OzlY+lw+LkpTwmxJOXXdXEtB//wbz0kB41y
cFgcJbDLRH8PTmGYwQ+7/pUfgoqifQaOSwTrlr3pblCtfJucswUsO+Y6g3Hjw7Q8
v8+T3O+7wRd3Bryx9UgKZJm5D7KL43Y+nA/GGDpBRnhcDaRBNRu/fhociB/uDrfu
ZpaTBM3E2glXkbKAn2mwrv1sNog7DvgmzqSzcq/OgiDk6GhYeiU9wFlJJkidQmii
HpBe22er6XscTEhhnDvcaljwzwBxOoKI7EoCRTjhLSfU6j+rQXX2y2ODBEWg0yx8
6Lntgl5o4BVaixvZ7pH5mTxLpQ87drq7yXzGzGtwQQKBgQDs+8y0u8a0hj4SxNtd
Hem6KhPkD7f3Pxuh+ZgphOp/lM0tYLDmoxZp/PhLxQX3N2qmXWS5fy4uBWpreoRJ
FbZnyN2JlnAW4R+ba8HJR+7cqWIlqC3AFRsNLswRPn5s2k1Pc/PqtXx3kPNhdupj
miB/pGtI6RhWHuhkkOZuFwtviQKBgQDG3zvoFaLOIAgRfkYrsV8V4iRUlbcCT1TS
dOrqKx54gHAs0yTQqLSGwOjpQC4V/nQKxi54Ybu+aZ1A6IaNqkL5zIGnDNIJQlas
E06D3LytVQM1dOCY5qz5xOqCJtxIL0fiMdTckenChL6ldufelVHRiN1Llv/xcoQL
g+ent6VrxQKBgA9LuUy5CfxA5eTEO/xon9taN+pycUdOFXSA7adQYupVKmERapmY
USwKHeSWFOp98y5FvOiUIuDpjJLfV4Z4FkvglRv6T8XKRgX8EIfzUqF/dUxE7J8H
PbW+HYHHbNWNyYulSksN57i37F2QFVTUb+CNNjeAhAea+xjymUzlw+ExAoGAdr1u
7WGNtXjWmGtGxmu/FDfT7VT+0jg/svDwGiToqpY1Y+4luxgfwZ2I80vIuIUXEB/I
O0RPbp9srwam4Aratn9uoik7dx/O1Csq4/x2AyARLGe+ekyw1ujGBDPjro3cY6fR
KmlMo0HS+sSGKRYKpgsL5kggRS9Uu/Nj63XxJOkCgYBaWOYoHpq7cJH2t0iHPjOi
BlHBEt1dn4v9tOtAYfsU/tH3NLMhae7riq69o5Tsrm5X2SuMF8krTydRPvXsEIX7
kPPIzHcWjpjWzIBD5v7cU+jjdqXDwtVlbbWBkFXBpzLh3jpQ+tz5y5TJ/0DXGrWo
jTiQFMRVfzEWCncLODqywA==
-----END PRIVATE KEY-----

52
config/nginx/domainconfig.cf
View File

@@ -2,20 +2,20 @@
server {
listen 80;
server_name www.DOMAINNAME;
return 301 http://DOMAINNAME$request_uri;
server_name www.$domain;
return 301 http://$domain\$request_uri;
}
server {
listen 80;
listen [::]:80;
root /var/www/DOMAINNAME/html;
root /var/www/$domain/html;
index index.php index.html index.htm index.nginx-debian.html;
server_name DOMAINNAME;
#return 301 $scheme:/$domain$request_uri; Redirect to non-www
#return 301 https://domein.nl; Redirect to other domain
server_name $domain;
#return 301 \$scheme:/\$domain\$request_uri; Redirect to non-www
#return 301 https://domein.nl$request_uri; Redirect to other domain
#add_header X-Cache "$upstream_cache_status";
#add_header X-Cache "\$upstream_cache_status";
#netdata here
@@ -28,32 +28,32 @@ server {
# location /rspamd {
# proxy_pass http://127.0.0.1:11334/;
# proxy_set_header Host $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host \$host;
# proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
#}
location / {
#try_files $uri $uri/ =404;
try_files $uri $uri/ /index.php$is_args$args;
#try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
#try_files \$uri \$uri/ =404;
try_files \$uri \$uri/ /index.php\$is_args\$args;
#try_files \$uri \$uri/ \$uri.html \$uri.php\$is_args\$query_string;
}
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)\$ {
expires max;
log_not_found off;
add_header Cache-Control "public, no-transform";
}
location ~ \.php$ {
location ~ \.php\$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/phpPHPVER-fpm.sock;
fastcgi_pass unix:/var/run/php/php${phpver}-fpm.sock;
#fastcgi_cache MYAPP;
#fastcgi_cache_valid 200 302 301 1m;
#fastcgi_cache_valid 404 1m;
#fastcgi_cache_bypass $no_cache;
#fastcgi_no_cache $no_cache;
#fastcgi_cache_bypass \$no_cache;
#fastcgi_no_cache \$no_cache;
#fastcgi_cache_revalidate on;
#fastcgi_cache_background_update on;
#fastcgi_cache_lock on;
@@ -73,25 +73,25 @@ server {
}
#Cache everything by default
set $no_cache 0;
set \$no_cache 0;
#Don't cache POST requests
if ($request_method = POST) {
set $no_cache 1;
if (\$request_method = POST) {
set \$no_cache 1;
}
#Don't cache if the URL contains a query string
if ($query_string != "") {
set $no_cache 1;
if (\$query_string != "") {
set \$no_cache 1;
}
#Don't cache the following URLs
if ($request_uri ~* "/(administrator/|login.php)") {
set $no_cache 1;
if (\$request_uri ~* "/(administrator/|login.php)") {
set \$no_cache 1;
}
#Don't cache if there is a cookie called PHPSESSID
if ($http_cookie = "PHPSESSID") {
set $no_cache 1;
if (\$http_cookie = "PHPSESSID") {
set \$no_cache 1;
}
}

206
config/nginx/site-enabled
View File

@@ -1,206 +0,0 @@
#fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
server {
listen 80;
server_name www.mail.ictdownwerk.com;
return 301 http://mail.ictdownwerk.com$request_uri;
}
server {
root /var/www/mail.ictdownwerk.com/html;
index index.php index.html index.htm index.nginx-debian.html;
server_name mail.ictdownwerk.com;
#return 301 $scheme:/$domain$request_uri; Redirect to non-www
#return 301 https://domein.nl; Redirect to other domain
#add_header X-Cache "$upstream_cache_status";
#netdata here
gzip on;
gzip_proxied any;
gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
gzip_comp_level 2;
gzip_disable "msie6";
gzip_buffers 16 8k;
# location /rspamd {
# proxy_pass http://127.0.0.1:11334/;
# proxy_set_header Host $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#}
location / {
#try_files $uri $uri/ =404;
try_files $uri $uri/ /index.php$is_args$args;
#try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
}
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
expires max;
log_not_found off;
add_header Cache-Control "public, no-transform";
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
#fastcgi_cache MYAPP;
#fastcgi_cache_valid 200 302 301 1m;
#fastcgi_cache_valid 404 1m;
#fastcgi_cache_bypass $no_cache;
#fastcgi_no_cache $no_cache;
#fastcgi_cache_revalidate on;
#fastcgi_cache_background_update on;
#fastcgi_cache_lock on;
#fastcgi_cache_use_stale updating;
#fastcgi_buffer_size 128k;
#fastcgi_buffers 256 16k;
#fastcgi_busy_buffers_size 256k;
#fastcgi_temp_file_write_size 256k;
}
location ~ /\.ht {
deny all;
}
location /phpmyadmin {
index index.php;
}
#Cache everything by default
set $no_cache 0;
#Don't cache POST requests
if ($request_method = POST) {
set $no_cache 1;
}
#Don't cache if the URL contains a query string
if ($query_string != "") {
set $no_cache 1;
}
#Don't cache the following URLs
if ($request_uri ~* "/(administrator/|login.php)") {
set $no_cache 1;
}
#Don't cache if there is a cookie called PHPSESSID
if ($http_cookie = "PHPSESSID") {
set $no_cache 1;
}
listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mail.ictdownwerk.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.ictdownwerk.com/privkey.pem; # managed by Certbot
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
}
server {
if ($host = mail.ictdownwerk.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
root /var/www/mail.ictdownwerk.com/html;
index index.php index.html index.htm index.nginx-debian.html;
server_name mail.ictdownwerk.com;
#return 301 $scheme:/$domain$request_uri; Redirect to non-www
#return 301 https://domein.nl; Redirect to other domain
#add_header X-Cache "$upstream_cache_status";
#netdata here
gzip on;
gzip_proxied any;
gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
gzip_comp_level 2;
gzip_disable "msie6";
gzip_buffers 16 8k;
# location /rspamd {
# proxy_pass http://127.0.0.1:11334/;
# proxy_set_header Host $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#}
location / {
#try_files $uri $uri/ =404;
try_files $uri $uri/ /index.php$is_args$args;
#try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
}
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
expires max;
log_not_found off;
add_header Cache-Control "public, no-transform";
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
#fastcgi_cache MYAPP;
#fastcgi_cache_valid 200 302 301 1m;
#fastcgi_cache_valid 404 1m;
#fastcgi_cache_bypass $no_cache;
#fastcgi_no_cache $no_cache;
#fastcgi_cache_revalidate on;
#fastcgi_cache_background_update on;
#fastcgi_cache_lock on;
#fastcgi_cache_use_stale updating;
#fastcgi_buffer_size 128k;
#fastcgi_buffers 256 16k;
#fastcgi_busy_buffers_size 256k;
#fastcgi_temp_file_write_size 256k;
}
location ~ /\.ht {
deny all;
}
location /phpmyadmin {
index index.php;
}
#Cache everything by default
set $no_cache 0;
#Don't cache POST requests
if ($request_method = POST) {
set $no_cache 1;
}
#Don't cache if the URL contains a query string
if ($query_string != "") {
set $no_cache 1;
}
#Don't cache the following URLs
if ($request_uri ~* "/(administrator/|login.php)") {
set $no_cache 1;
}
#Don't cache if there is a cookie called PHPSESSID
if ($http_cookie = "PHPSESSID") {
set $no_cache 1;
}
}

1
config/sieve/default.sieve
View File

@@ -1,5 +1,4 @@
require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
fileinto "Spam";
stop;
}

104
config/spamassassin/local.cf
View File

@@ -1,104 +0,0 @@
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
# Add *****SPAM***** to the Subject header of spam e-mails
#
#rewrite_header Subject *****SPAM*****
# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
report_safe 0
# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.
# Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock
# Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 5.0
# Use Bayesian classifier (default: 1)
#
use_bayes 1
use_bayes_rules 1
# Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 1
# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
# them to UTF-8 before the text is given over to rules processing.
#
# normalize_charset 1
# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on
# the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST on
# shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on
# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on
# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham
skip_rbl_checks 0
#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1
#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf
#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
endif # Mail::SpamAssassin::Plugin::Shortcircuit

34
config/spamassassin/spamassassin
View File

@@ -1,34 +0,0 @@
# /etc/default/spamassassin
# Duncan Findlay
# WARNING: please read README.spamd before using.
# There may be security risks.
# If you're using systemd (default for jessie), the ENABLED setting is
# not used. Instead, enable spamd by issuing:
# systemctl enable spamassassin.service
# Change to "1" to enable spamd on systems using sysvinit:
ENABLED=1
# Options
# See man spamd for possible options. The -d option is automatically added.
# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 5 --helper-home-dir --username spamd -H /var/log/spamassassin -s /var/log/spamassassin/spamd.log"
# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"
# Set nice level of spamd
#NICE="--nicelevel 15"
# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=1

149
installer.sh
View File

@@ -1,6 +1,7 @@
###==========================================###
## Ubuntu 18.04 Mailserver installer ##
###==========================================###
###===========================================================
## Ubuntu 18.04 Mailserver installer
###===========================================================
##----------##
# Menu #
@@ -19,18 +20,19 @@
# Static-Vars #
##-----------------##
echo "Static-Vars"
domain=ictdownwerk.com
domain=ict-dagbesteding.nl
password=JW9t9ipdgLrWvMqHq7hX
email=admin@ictdagbesteding.nl
phpver=7.3
domonly=${domain}
domain=mail.${domain}
branch=omega
branch=alpha
dhparam=1024
##----------------##
# Pre-Config #
##----------------##
echo "Pre-Config"
hostnamectl set-hostname $domain
apt update
add-apt-repository universe -y
@@ -43,22 +45,23 @@ mkdir -p /etc/nginx
mkdir -p /var/www/"$domain"/html
chmod -R 755 /var/www
##-------------##
# Debloat #
##-------------##
apt autoremove --purge lxcfs lxd lxd-client geoip-database snapd -y
##-----------------------##
# Html Folder Perms #
##-----------------------##
echo "Html Folder Perms"
chown -R www-data:www-data /var/www/"$domain"/html
##-----------##
# NGINX #
##-----------##
echo "NGINX"
#installing nginx from apt
apt install -y nginx
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Web/raw/branch/master/config/nginx/nginx-default.conf -O /etc/nginx/nginx.conf
cat <<EOF > /etc/nginx/sites-available/"$domain"
#fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
@@ -178,6 +181,7 @@ source /tmp/mysql-8.0.sh
##------------------------------##
# MySQL_Secure_Installation #
##------------------------------##
mysqladmin -u root password "$password"
mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User=''"
mysql -u root -p"$password" -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'"
@@ -196,10 +200,12 @@ mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
##------------------##
# PostfixADMIN #
##------------------##
echo "PostfixADMIN"
apt install php${phpver} php${phpver}-zip php${phpver}-fpm php${phpver}-cli php${phpver}-json php${phpver}-mysql php${phpver}-opcache php${phpver}-mbstring php${phpver}-readline -y
apt install libc-client2007e mlock php${phpver}-common php${phpver}-imap -y
mkdir -p /var/www/"$domain"/html/postfixadmin/templates_c
wget -q -t7 https://git.ictmaatwerk.com/downloads/pfa/postfixadmin-3.1.tar.gz -O /tmp/postfixadmin.tar.gz
wget -q -t7 https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.1/postfixadmin-3.1.tar.gz -O /tmp/postfixadmin.tar.gz
tar -xf /tmp/postfixadmin.tar.gz -C /var/www/"$domain"/html/postfixadmin --strip-components=1
chmod 755 -R /var/www/"$domain"/html/postfixadmin/templates_c
chown -R www-data: /var/www/"$domain"/html/
@@ -210,40 +216,20 @@ bash /var/www/"$domain"/html/postfixadmin/scripts/postfixadmin-cli admin add sup
groupadd -g 5000 vmail
useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail
##--------------------##
# Certbot (Auto) #
##--------------------##
##-------------##
# Certbot #
##-------------##
#add-apt-repository ppa:certbot/certbot -y
#apt install -y python-certbot-nginx
mkdir -p /etc/letsencrypt/live/$domain/
#certbot --nginx -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
#echo "certbot --nginx -n -d $domain -m $email --hsts --redirect --no-eff-email --agree-tos" > ~/certbotactivate.sh
#sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
#sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
#sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
#openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
#chmod 777 -R /etc/ssl/certs/dhparam.pem
##----------------------##
# Certbot (Manual) #
##----------------------##
mkdir -p /etc/letsencrypt/live/$domain/
sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/cert.pem -O /etc/letsencrypt/live/$domain/cert.pem
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/chain.pem -O /etc/letsencrypt/live/$domain/chain.pem
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/fullchain.pem -O /etc/letsencrypt/live/$domain/fullchain.pem
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/privkey.pem -O /etc/letsencrypt/live/$domain/privkey.pem
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/nginx/site-enabled -O /etc/nginx/sites-available/mail.ictdownwerk.com
openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem "$dhparam"
chmod 777 -R /etc/letsencrypt/ssl-dhparams.pem
chmod 777 -R /etc/ssl/certs/dhparam.pem
chmod 777 -R /etc/letsencrypt/live/$domain/cert.pem
chmod 777 -R /etc/letsencrypt/live/$domain/chain.pem
chmod 777 -R /etc/letsencrypt/live/$domain/fullchain.pem
chmod 777 -R /etc/letsencrypt/live/$domain/privkey.pem
chmod 644 -R /etc/nginx/sites-available/mail.ictdownwerk.com
chmod 755 -R /etc/ssl/certs/dhparam.pem
systemctl restart nginx
##-----------------------##
# Postfix Installer #
@@ -324,79 +310,10 @@ chmod +x /usr/local/bin/quota-warning.sh
##--------------------------------------##
apt install dovecot-sieve dovecot-managesieved -y
mkdir -p /etc/dovecot/sieve/
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/$branch/config/dovecot/15-lda.conf -O /etc/dovecot/conf.d/15-lda.conf
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/90-sieve.conf -O /etc/dovecot/conf.d/90-sieve.conf
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/sieve/default.sieve -O /etc/dovecot/sieve/default.sieve
chown vmail:vmail /etc/dovecot/sieve/ -R
chgrp dovecot /etc/dovecot/conf.d/90-sieve.conf
sievec /etc/dovecot/sieve/default.sieve
chgrp dovecot /etc/dovecot/sieve/default.svbin
##------------------##
# Spamassassin #
##------------------##
apt install spamassassin spamc razor pyzor -y
sed -i -e 's/# report_safe 1/report_safe 0/' -e 's/# required_score 5.0/required_score 5.0/' -e 's/endif # Mail::SpamAssassin::Plugin::Shortcircuit//' /etc/spamassassin/local.cf
echo "" >> /etc/spamassassin/local.cf
echo "skip_rbl_checks 0" >> /etc/spamassassin/local.cf
echo "" >> /etc/spamassassin/local.cf
echo "#pyzor" >> /etc/spamassassin/local.cf
echo "use_pyzor 1" >> /etc/spamassassin/local.cf
echo "pyzor_path /usr/bin/pyzor" >> /etc/spamassassin/local.cf
echo "pyzor_add_header 1" >> /etc/spamassassin/local.cf
echo "" >> /etc/spamassassin/local.cf
echo "#razor" >> /etc/spamassassin/local.cf
echo "use_razor2 1" >> /etc/spamassassin/local.cf
echo "razor_config /etc/razor/razor-agent.conf" >> /etc/spamassassin/local.cf
echo "" >> /etc/spamassassin/local.cf
echo "#bayes" >> /etc/spamassassin/local.cf
echo "use_bayes 1" >> /etc/spamassassin/local.cf
echo "use_bayes_rules 1" >> /etc/spamassassin/local.cf
echo "bayes_auto_learn 1" >> /etc/spamassassin/local.cf
echo "" >> /etc/spamassassin/local.cf
echo "endif # Mail::SpamAssassin::Plugin::Shortcircuit" >> /etc/spamassassin/local.cf
##------------##
# ClamAV #
##------------##
apt install clamav clamav-daemon clamsmtp libclamunrar7 clamdscan -y
chown -R clamav:clamav /var/log/clamav
chown -R clamav:clamav /var/lib/clamav
chmod 777 -R /var/lib/clamav
##------------##
# Amavis #
##------------##
apt install amavisd-new -y
apt install zip lrzip liblz4-tool lhasa arj unzip bzip2 nomarch cpio lzop cabextract arc apt-listchanges libauthen-sasl-perl libdbd-mysql-perl libdbi-perl libmail-dkim-perl ripole p7zip p7zip-full p7zip-rar rpm unrar unrar-free altermime libsnmp-perl libnet-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl -y
sed -i -e 's/@bypass/'@bypass'/' -e 's/ / /' /etc/amavis/conf.d/15-content_filter_mode
adduser clamav amavis
sed -i 's/clamd.conf/'clamd.conf'/g' /etc/clamav/freshclam.conf
echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/main.cf
postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'
echo "" >> /etc/postfix/master.cf
echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/master.cf
echo "amavis unix - - - - 2 smtp" >> /etc/postfix/master.cf
echo " -o smtp_data_done_timeout=1200" >> /etc/postfix/master.cf
echo " -o smtp_send_xforward_command=yes" >> /etc/postfix/master.cf
echo "127.0.0.1:10025 inet n - - - - smtpd" >> /etc/postfix/master.cf
echo " -o content_filter=" >> /etc/postfix/master.cf
echo " -o local_recipient_maps=" >> /etc/postfix/master.cf
echo " -o relay_recipient_maps=" >> /etc/postfix/master.cf
echo " -o smtpd_restriction_classes=" >> /etc/postfix/master.cf
echo " -o smtpd_client_restrictions=" >> /etc/postfix/master.cf
echo " -o smtpd_helo_restrictions=" >> /etc/postfix/master.cf
echo " -o smtpd_sender_restrictions=" >> /etc/postfix/master.cf
echo " -o smtpd_recipient_restrictions=permit_mynetworks,reject" >> /etc/postfix/master.cf
echo " -o mynetworks=127.0.0.0/8" >> /etc/postfix/master.cf
echo " -o strict_rfc821_envelopes=yes" >> /etc/postfix/master.cf
echo " -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks" >> /etc/postfix/master.cf
echo " -o smtpd_bind_address=127.0.0.1" >> /etc/postfix/master.cf
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/15-content_filter_mode -O /etc/amavis/conf.d/15-content_filter_mode
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/20-debian_defaults -O /etc/amavis/conf.d/20-debian_defaults
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/21-ubuntu_defaults -O /etc/amavis/conf.d/21-ubuntu_defaults
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/50-user -O /etc/amavis/conf.d/50-user
chown vmail:vmail /etc/dovecot/sieve/ -R
##--------------##
# Rainloop #
@@ -417,24 +334,12 @@ wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$bra
sed -i 's/root@localhost/'$email'/g' /etc/fail2ban/jail.conf
systemctl restart fail2ban
##---------------------------------##
# Unattended Security Updates #
##---------------------------------##
wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Unattended-Security-Updates/raw/branch/master/installer.sh -O /tmp/unattended.sh
source /tmp/unattended.sh
##-----------------------##
# Enabling Services #
##-----------------------##
systemctl enable nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin amavisd-snmp-subagent amavis-mc amavis-snmp-subagent
systemctl enable postfix.service postfix@-.service dovecot.service fail2ban.service
##-----------------------##
# Starting Services #
##-----------------------##
systemctl restart nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin amavisd-snmp-subagent amavis-mc amavis-snmp-subagent
##------------------##
# Final Update #
##------------------##
apt update
apt upgrade -y
systemctl restart postfix.service postfix@-.service dovecot.service fail2ban.service

58
mysql-8.0.sh Normal file
View File

@@ -0,0 +1,58 @@
##------------##
# MySQL #
##------------##
export DEBIAN_FRONTEND=noninteractive
apt install gnupg -y
debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-codename select bionic'
debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-distro select ubuntu'
debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-url string http://repo.mysql.com/apt/'
debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-preview select '
debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-product select Ok'
debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-server select mysql-8.0'
debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-tools select '
debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/unsupported-platform select abort'
debconf-set-selections <<< "mysql-community-server mysql-community-server/root-pass password $password"
debconf-set-selections <<< "mysql-community-server mysql-community-server/re-root-pass password $password"
debconf-set-selections <<< "mysql-community-server mysql-server/default-auth-override select Use Legacy Authentication Method (Retain MySQL 5.x Compatibility)"
wget https://dev.mysql.com/get/mysql-apt-config_0.8.13-1_all.deb -O /tmp/mysql-apt-conf.deb
dpkg -i /tmp/mysql-apt-conf.deb
apt-get update
apt-get install -y mysql-server
rm /etc/mysql/mysql.conf.d/mysqld.cnf
cat > /etc/mysql/mysql.conf.d/mysqld.cnf <<- "EOF"
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
innodb_buffer_pool_size = 1G # (adjust value here, 50%-70% of total RAM)
innodb_log_file_size = 256M
innodb_flush_log_at_trx_commit = 1 # may change to 2 or 0
innodb_flush_method = O_DIRECT
bind-address = 127.0.0.1
key_buffer_size = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
myisam-recover-options = BACKUP
#max_connections = 100
#table_open_cache = 64
#innodb-thread-concurrency = 10
log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M
EOF
systemctl restart mysql
systemctl enable mysql